Skip to content

Add CLAUDE.md and CI workflow#1

Merged
juniuszhou merged 3 commits into
mainfrom
ci
Jun 26, 2026
Merged

Add CLAUDE.md and CI workflow#1
juniuszhou merged 3 commits into
mainfrom
ci

Conversation

@juniuszhou

@juniuszhou juniuszhou commented Jun 26, 2026

Copy link
Copy Markdown
Owner

Summary by CodeRabbit

  • New Features
    • Added an automated CI workflow that runs formatting checks, linting, builds, and tests on pushes and pull requests.
  • Documentation
    • Added a repository guide with setup commands, project structure notes, API endpoint overview, and tips for common development tasks.

@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@juniuszhou, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 46 minutes and 19 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 13d3a24b-abcb-4b30-bfab-5d493da708d7

📥 Commits

Reviewing files that changed from the base of the PR and between 0800426 and 62c2387.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • server/src/main.rs
📝 Walkthrough

Walkthrough

Adds a Rust GitHub Actions workflow that runs formatting, linting, release builds, and tests on push and pull request events, and adds a CLAUDE.md guide with repository commands and server notes.

Changes

Rust CI workflow

Layer / File(s) Summary
Triggers and job definition
.github/workflows/ci.yml
The workflow runs on push and pull request events for main and ci, and defines a build job on ubuntu-latest.
Toolchain and lint checks
.github/workflows/ci.yml
The job checks out the repository, installs stable Rust with rustfmt and clippy, then runs cargo fmt -- --check and cargo clippy -D warnings.
Release build and tests
.github/workflows/ci.yml
The workflow adds cargo build --release and cargo test --release steps.

Repository guidance

Layer / File(s) Summary
CLAUDE.md guide
CLAUDE.md
The new guide documents Rust commands, workspace structure, endpoint payloads, implementation notes, and test-running guidance.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A bunny hopped through CI with cheer,
Checked fmt and clippy, crisp and clear.
Then build and tests ran bright and fast,
While CLAUDE.md helped the path hold fast.
🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the two main additions: CLAUDE.md and a CI workflow.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 10-15: Add an explicit permissions block to the ci workflow job so
GITHUB_TOKEN is read-only, and update the actions/checkout step to stop
persisting credentials by default. The fix should be applied in the build job
around actions/checkout@v4, using the job-level permissions setting and the
checkout configuration so later cargo build/cargo test steps can run without a
persisted write-capable token unless a future step truly needs it.
- Around line 14-17: Pin the third-party GitHub Actions in the workflow to
immutable full-length commit SHAs instead of mutable tags. Update the `uses`
entries for `actions/checkout` and `actions-rs/toolchain` in the CI workflow to
their specific commit hashes, optionally keeping the version label as a comment
for readability, so the workflow references fixed revisions rather than `@v4`
and `@v1`.
- Around line 16-22: The Rust toolchain setup in the CI workflow still uses the
archived actions-rs/toolchain@v1 action, so replace it with the maintained
dtolnay/rust-toolchain action in the Install Rust toolchain step. Keep the same
toolchain/components behavior by configuring the dtolnay/rust-toolchain
invocation to install stable with rustfmt and clippy, and make sure the action
reference is pinned to a stable tag or commit SHA for supply-chain safety.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8064df4e-32cc-4bb1-94d2-0dff29a67a92

📥 Commits

Reviewing files that changed from the base of the PR and between ec14926 and 0800426.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • CLAUDE.md

Comment thread .github/workflows/ci.yml
Comment on lines +10 to +15
build:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Scope the job token down and stop persisting it.

This workflow only needs repository read access, but without an explicit permissions: block GitHub derives GITHUB_TOKEN scopes from the repo/org defaults, and actions/checkout persists that token for later git commands by default. Since the job then executes repository code during cargo build and cargo test, keep the token read-only and disable persisted credentials unless a later step actually needs to push. (docs.github.com)

Suggested hardening
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
build:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[warning] 10-34: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 10 - 15, Add an explicit permissions
block to the ci workflow job so GITHUB_TOKEN is read-only, and update the
actions/checkout step to stop persisting credentials by default. The fix should
be applied in the build job around actions/checkout@v4, using the job-level
permissions setting and the checkout configuration so later cargo build/cargo
test steps can run without a persisted write-capable token unless a future step
truly needs it.

Source: Linters/SAST tools

Comment thread .github/workflows/ci.yml Outdated
Comment on lines +14 to +17
- uses: actions/checkout@v4

- name: Install Rust toolchain
uses: actions-rs/toolchain@v1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🌐 Web query:

github actions security best practices pin actions to full commit SHAs vs tags

💡 Result:

For GitHub Actions, pinning to a full-length commit SHA is the recommended security best practice over using tags [1][2][3]. Key Differences and Security Implications: * Immutability: A full-length commit SHA is immutable [4][5][6]. Pinning to it ensures your workflow executes the exact same code every time, preventing supply chain attacks where a malicious actor compromises a repository and moves existing tags to point to compromised code [7][3][6]. * Version Tags: Tags are mutable references that can be updated, moved, or deleted by repository maintainers [1][4][6]. Relying on them for security-sensitive workflows creates a vulnerability window, as an automatic update could pull in compromised code without your knowledge [4][8]. * Enforcement: GitHub supports organizational and repository-level policies that can enforce the use of full-length commit SHAs, causing workflows to fail if they use unpinned tags or abbreviated SHAs [1][9][8][3]. Recommended Implementation Strategy: 1. Use SHA Pinning: Always pin third-party actions to their full commit SHA (e.g., uses: actions/checkout@692973e) [1][4][2][5]. 2. Maintain Readability: Append the original version tag as a comment to keep the workflow human-readable and trackable (e.g., uses: actions/checkout@692973e # v4.2.1) [10][3][6]. 3. Automate Updates: Use dependency management tools like Renovate or Dependabot to automatically keep these pinned SHAs updated [10][7][3]. These tools can be configured to track the semantic versioning in your comments while updating the underlying SHA [10][7]. 4. Enforce Policies: Enable SHA pinning enforcement via GitHub's allowed actions policy to ensure compliance across your organization [9][8][3]. 5. Exercise Caution: Pinning only secures the reference; it does not protect against vulnerabilities already present in the chosen version [7][8]. Continue to vet the actions you use and consider using verified or GitHub-authored actions whenever possible [1][2][8].

Citations:


Pin third-party actions to full-length commit SHAs.

Both actions/checkout@v4 and actions-rs/toolchain@v1 currently use mutable tag references. GitHub security guidance recommends pinning to full-length commit SHAs to ensure immutability and prevent supply chain attacks where tags are moved to compromised code.

Update the uses to their specific commit SHAs, optionally adding the version tag as a comment for readability (e.g., uses: actions/checkout@<SHA> # v4).

Current snippet
    - uses: actions/checkout@v4

    - name: Install Rust toolchain
      uses: actions-rs/toolchain@v1
🧰 Tools
🪛 actionlint (1.7.12)

[error] 17-17: the runner of "actions-rs/toolchain@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 zizmor (1.26.1)

[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 17-17: action or reusable workflow from archived repository (archived-uses): repository is archived

(archived-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 14 - 17, Pin the third-party GitHub
Actions in the workflow to immutable full-length commit SHAs instead of mutable
tags. Update the `uses` entries for `actions/checkout` and
`actions-rs/toolchain` in the CI workflow to their specific commit hashes,
optionally keeping the version label as a comment for readability, so the
workflow references fixed revisions rather than `@v4` and `@v1`.

Source: Linters/SAST tools

Comment thread .github/workflows/ci.yml
@juniuszhou juniuszhou merged commit 4a0d854 into main Jun 26, 2026
3 checks passed
@juniuszhou juniuszhou deleted the ci branch June 26, 2026 09:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant